Arizona HIPAA Medical Records Release

                         HIPAA Privacy Training

  Health Insurance Portability & Accountability Act of 1996
  Standards for Privacy of Individually Identifiable Health
  45 CFR Parts 160 and 164

The Health Insurance Portability and Accountability Act (HIPAA) was
enacted in 1996 and focused on improving health insurance
accessibility for persons changing employment or leaving the work
force (portability). HIPAA consists of several different parts. One
part, called the Privacy Rule, concerns the privacy of health
information. The Privacy Rule includes a requirement that all
members of a health care provider’s workforce (including students)
must be trained on the provider’s policies and procedures relating to
This training program was developed through a collaborative effort
of representatives of various Hawaii health care providers. The
collaborative facilities developed and adopted a standard policy with
regard to appropriate uses of health information for educational
purposes. Although the policies of these facilities may be similar,
specific procedures may vary from facility to facility. Therefore,
when you begin your training at a facility, you should familiarize
yourself with the specific policies and procedures of that facility.
                         The Privacy Rule
       Creates national foundation of privacy
       Does not preempt more stringent state
       Extends:
            Certain individual rights to privacy
            Protection of individual’s medical
             records and health information
    HIPAA addresses national standards for electronic data
    transmission, unique health identifiers, security standards, and
    standards for privacy and confidentiality. Covered Entities
    were required to comply with the Privacy Rule by April 14,
    2003. The government believes a national foundation of
    privacy protections is necessary because technological
    advances have resulted in increasing electronic transmission of
    health care data.
    Standardization of the collection, storage and transmission of
    such data has been limited, while public concern about the
    privacy and security of health information has grown.
    It is important to note that HIPAA provides a floor of
    protection, and does not preempt more stringent protections
    provided under state law. Therefore, a health care provider
    must be familiar with both state and federal laws relating to
    the use and disclosure of health information.
                             Who’s affected?
    Direct impact:
     Health plans
     Health care clearinghouses
     Health care providers
         (who transmit health information electronically)
    Indirect impact:
     Business associates
         (vendors, consultants, contracted providers)

    All Covered Entities are required to comply with HIPAA
    regulations. Covered Entities include Health Plans that provide or
    pay the cost of medical care, including employer plans and
    programs, Health Care Providers (doctors, nurses, hospitals, etc.)
    who perform electronic transactions and Health Care
    Clearinghouses (entities that process data from non-standard
    format to standard format, or vice versa).
    Business Associates of a Covered Entity, including vendors and
    consultants, are usually required to comply with HIPAA
    regulations by means of a Business Associate Agreement with the
    Covered Entity. A Business Associate may or may not be a
    Covered Entity.

                          What’s protected?
    Protected health information (PHI) refers to:
         Individually identifiable health information
          relating to:
                Person’s past, present and future health or
                Provision of health services to the person
                Past, present and future payment of health
                 services to the person
         Information transmitted or maintained in any
         Includes data considered individually identifiable

        Protected Health Information (PHI) means any individually
        identifiable health information about a person. PHI is
        protected under HIPAA and, therefore, cannot be disclosed by
        a Covered Entity without the agreement or authorization of
        that person, or as allowed by law. This requirement will be
        described in more detail later. PHI includes information about
        the person’s past, present and future health or condition;
        provision of health care services to the person; and past,
        present and future payment for health services to the person.
        Information transmitted or maintained in any form-- verbal,
        written (paper) or electronic-- is protected.

                          What’s individually
        Name
        Geographic divisions smaller than State (with exceptions)
        All dates (except year)
        Phone & fax number
        E-mail address
        SSN
        Medical record #
        Health plan beneficiary numbers
        Account numbers
        Certificate/license
        Vehicle identifiers and serial numbers
        Device identifiers and serial numbers
        Web URLs
        IP address numbers
        Biometric identifiers (including finger, voice prints)
        Full face photo and other images
        Any other unique

    The Privacy Rule identifies several data elements which, when
    used alone or in combination, may lead to the identification of a
    specific person. These data elements are referred to as
    “individually identifiable health information”, and are listed on
    this slide.

                         Rules for uses /
                      disclosures of PHI
     Treatment, Payment, Health Care
      Operations (TPO)
     Opportunity to Object
     Agreement or Authorization not
      required (Exceptions)
     Authorization

     There are four general rules about the use or disclosure of
        1. PHI can be disclosed for the purposes of Treatment, Payment or
           Health Care Operations (TPO) without the consent, agreement
           or authorization of the patient.
        2. The patient has the opportunity to agree or object to certain
           use or disclosure of PHI.
        3. In some situations-- usually as required under existing laws--
           PHI may be disclosed without the patient’s authorization or
        4. Finally, in any other circumstance not described above, the
           patient will need to provide written authorization for the use or
           disclosure of his/her PHI.

              Permitted Uses of PHI
    Uses/disclosures permitted for:
       Treatment
             Some facilities may still require patient
              authorization for release of PHI
       Payment
       Health care operations
          (quality improvement, staff performance review, training
            in areas of health care, accreditation, medical review,
            audits, business planning and development, general
            administration, etc.)
    Use or disclosure of PHI is permitted for a Covered Entity’s
    Treatment, Payment and Health Care operations.
    A Covered Entity may also disclose PHI to a health care provider
    for treatment purposes. Many facilities now release PHI for
    treatment as long as they receive a request stating that the
    provider is involved in the patient’s treatment and the PHI is
    needed for the patient’s treatment. It is important to recognize,
    though, that a facility can be more stringent and may still require
    written authorization, consent or other verification to release PHI
    for treatment.
    Covered Entities can also release PHI to each other for either
    Covered Entity’s payment purposes and for certain health care
    operations, as long as each Covered Entity has or had a
    relationship with the patient who is the subject of the PHI and the
    information released is relevant to that relationship. Examples are
    provided on slide 26.
                 Opportunity to Object
         Facility directories
         To clergy
         To persons involved in individual’s
         Notification purposes
         Disaster relief purposes

        Under the Privacy Rule, a Covered Entity can use or disclose
        PHI for certain purposes as long as the patient verbally
        agrees, or the patient has been given an opportunity to
        object to the disclosure and has not objected. These
        purposes are listed above.
        Each facility has established procedures about how these
        uses or disclosures are implemented. See the Matrix for
        information about each facility’s procedures. Be sure to
        review this information before you begin your training at a

      Agreement or Authorization
       Not Required (Exceptions)
  Required by law
  Public health activities
  Victims of abuse/neglect/domestic violence
  Health oversight
  Judicial/administrative proceedings
  Limited law enforcement purposes
  Coroners, medical examiners & funeral directors
  Organ/tissue donations
  Research purposes
  Serious threat to self/others
  Specialized government functions
  Worker’s comp

    In certain situations, disclosure is permitted without an
    authorization or an opportunity to object. This slide lists the
    types of disclosures that are allowed without the patient’s
    authorization or agreement. Many of these disclosures are to
    government officials acting in a professional capacity. In
    general, students would not make these types of disclosures.
    For each of these types of disclosures, the Covered Entity must
    follow certain rules, in terms of how and what PHI is released. In
    addition, the Covered Entity must track and account for these
    disclosures. Therefore, if you receive an inquiry that relates to
    these types of disclosures, you must check with the patient’s
    attending physician, the facility’s nursing staff or the facility’s
    Privacy Officer before you release any information.

  For all other uses and disclosures of PHI

     A valid authorization from the patient is required for any
     other disclosure of PHI.
     For example, if a patient applies for life insurance, before
     the facility can disclose PHI to the life insurance
     company, the patient must provide a signed authorization
     form to the facility.

                          Notice of Privacy
        Describes to patients how their protected
         health information may be used/disclosed
        Details patient’s legal rights in regards to
         their PHI and how to exercise these rights
        Details legal obligations of covered entity
         to protect PHI

     The Covered Entity must give the patient a Notice of Privacy Practices,
     which describes the ways the Covered Entity could use or
     disclose PHI.
     A health care provider who has a direct treatment relationship
     must provide the Notice at the time of the first service delivery,
     or in an emergency situation, as soon as possible.
     The Covered Entity must also make a good faith effort to obtain
     the patient’s written acknowledgement of receipt of the Notice.
     If the acknowledgement was not obtained, the Covered Entity
     must document the reason why the acknowledgement was not

                     Individual’s Rights
       To receive Notice of Privacy Practices
       To inspect and/or obtain copy of PHI
       To request to amend PHI
       To request limits on certain
        uses/disclosures of PHI
       To receive accounting of disclosures
       To receive confidential communications
       To file a complaint

     HIPAA gives the patient rights to privacy and accessibility with
     regard to his/her PHI. These rights are listed on this slide.
     Each facility has procedures about how the patient may
     exercise these rights. Refer any patient with questions about
     his/her rights under the Privacy Rule to the facility’s Privacy

                   Other Requirements
        De-identification of PHI
        Minimum necessary
        Workforce Training
        Verification Process
        Business Associate Contracts

     The Privacy Rule includes several other requirements:
     • De-identification is the process of stripping PHI of all
       individually identifiable elements (see slide 5).
     • The minimum necessary standard (e.g. need-to-know) will be
       covered later.
     • The Covered Entity must train all members of its workforce on
       its policies and procedures related to privacy. Students are
       considered part of the facility’s workforce, which is why you are
       completing this training.
     • Verification process refers to a requirement that a Covered
       Entity must verify the identity and authority of a person who is
       requesting to have access to PHI.
     • Finally, a Covered Entity must enter into a Business Associate
       Contract with a person or entity who provides certain types of
       services for the Covered Entity and who accesses PHI in the
       course of providing those services.
                        Other Restrictions
       Marketing
       Fundraising
       Specially Protected Health Information
             Additional protections under Hawaii
              State law relating to release of HIV,
              mental health and substance abuse
              treatment records

     The Privacy Rule imposes other restrictions on the use or
     disclosure of PHI for marketing and fundraising. Those
     restrictions will not be discussed here. If in the future, you are
     involved in marketing or fundraising, you will need to
     familiarize yourself with applicable sections of the Privacy Rule.
     As stated previously, the federal Privacy Rule does not preempt
     more stringent state law. In Hawaii, certain information, called
     specially protected health information, is afforded more
     stringent protection. Under Hawaii State law, release of
     specially protected health information requires the patient’s
     consent, including for treatment and payment purposes.

             What’s the consequence
             of non-compliance?
        Penalties:
            Civil: $100 per violation; up to
             $25,000 per year
            Criminal: up to $250,000 and/or
             10 years in prison

     There are penalties for violating or failing to
     comply with the Privacy Rule. A Covered Entity
     may be subject to civil and criminal sanctions that
     include monetary fines and imprisonment.

     Facilities required to sanction members
      of workforce (includes “students”)
      who violate policies and procedures
      relating to privacy and security of
      health information.
     Student sanctions may include
      suspension or termination of access
      privileges to PHI and/or participation
      in educational programs at facility.

      A Covered Entity is required to have a process for
      sanctioning workforce members who violate privacy
      policies and procedures. Student sanctions may be
      levied by the facility and/or the educational program
      with which you participate.

                What you need to know
         to operate in different facilities
         Facility Directory
         Family Involvement
         Minimum Necessary
         Appropriate Educational Access/Use
         Requesting/Disclosing PHI for
         Request/Disclosures to Govt. agencies
         Patient Requested Restrictions on

     As stated previously, privacy training includes training about
     the facility’s policies and procedures. Each facility may
     implement its procedures differently. See the Matrix for
     information about each facility’s procedures. Be sure to
     review this information before you begin your training at a

             What is a Facility Directory?
          The information a hospital releases to the
           media or the public when they call to ask
           about a patient
          This information is limited to:
                Location
                Condition
          May only release info in the directory to
           people who ask for patient BY NAME

         “Facility directory” requirements apply to hospital inpatients.
     The hospital maintains a list of inpatients. If a caller or visitor asks
       for a patient BY NAME, the hospital may:
             1. Acknowledge the patient’s presence;
             2. Provide the patient’s room number; and
             3. Provide a one word description of the patient’s condition.
     This is the maximum amount of information that may be
       disclosed for facility directory purposes.
     Facility directory requirements apply to inquiries by members of the
       media, as well as other callers or visitors.

                          Facility Directory
        Patient may ask hospital to NOT release
         information to media or others who call
        Each hospital will have process to identify
         these NO INFORMATION patients
        YOU must be aware of each hospital’s codes
         and process to identify these patients
        DO NOT release information in violation of
         the patient’s information status

     The patient has the right to object to disclosures for facility
     directory purposes. In other words, the patient may tell the hospital
     to disclose no information about him/her to callers or visitors.
     The hospital must honor the patient’s request for privacy. As a
     member of the hospital’s workforce, you must not disclose
     information about a patient with “No Information” status to
     callers or visitors.
     Each hospital has established procedures for honoring the patient’s
     request. See the Matrix for details.

                          Facility Directory
       Anyone asking for patient will be told, “We
        have no information regarding the

      If patient has requested “No Information” status, the hospital
          will not:
           1. Acknowledge the patient’s presence;
           2. Disclose the patient’s room number;
           3. Describe the patient’s condition;
           4. Accept flowers, gifts or mail for the patient.
      This restriction applies to family members, friends, or any one
         else who may call or visit the hospital. They will be told,
         “We have no information about a person by that name.”
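To make the decision rule concrete, here is an added example (not part of the training deck) that encodes the facility directory rules from the three slides above in Python. The `Inpatient` fields, the sample patients and the helper names are constructed for this example; each hospital's real process and codes are in its Matrix.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# The one response the deck gives for a patient the directory will not
# discuss.  It is deliberately identical whether the person is not an
# inpatient at all or has asked for "No Information" status, so the
# answer itself never confirms that a restricted patient is present.
NO_INFO_RESPONSE = "We have no information about a person by that name."


@dataclass(frozen=True)
class Inpatient:
    name: str
    room: str
    condition: str        # one-word description, e.g. "stable"
    no_information: bool  # patient objected to directory disclosure


def build_directory(patients: Iterable[Inpatient]) -> Dict[str, Inpatient]:
    """Index inpatients by name, enforcing the one-word condition rule."""
    directory: Dict[str, Inpatient] = {}
    for p in patients:
        if len(p.condition.split()) != 1:
            raise ValueError(f"condition must be one word: {p.condition!r}")
        directory[p.name.strip().casefold()] = p
    return directory


def directory_lookup(directory: Dict[str, Inpatient],
                     query_name: Optional[str]) -> str:
    """Answer a caller or visitor under the facility directory rules.

    Information is released only when the caller asks for a patient BY
    NAME, and never more than presence, room number and the one-word
    condition.  A query that is not by name, an unknown name and a
    "No Information" patient all get the same refusal text.
    """
    if not query_name:
        return NO_INFO_RESPONSE
    patient = directory.get(query_name.strip().casefold())
    if patient is None or patient.no_information:
        return NO_INFO_RESPONSE
    return f"{patient.name} is in room {patient.room} and is {patient.condition}."


def accepts_deliveries(directory: Dict[str, Inpatient], name: str) -> bool:
    """Flowers, gifts and mail are refused for "No Information" patients."""
    patient = directory.get(name.strip().casefold())
    return patient is not None and not patient.no_information


if __name__ == "__main__":
    # Constructed sample patients, not real data.
    hospital = build_directory([
        Inpatient("Jane Example", "412", "stable", no_information=False),
        Inpatient("John Example", "301", "fair", no_information=True),
    ])
    print(directory_lookup(hospital, "Jane Example"))
    print(directory_lookup(hospital, "John Example"))   # restricted
    print(directory_lookup(hospital, "Nobody Here"))    # not an inpatient
```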

                    What should I do?
  Scenario #1:
  Q: I am approached in the hallway by someone
     who asks me if I know what room a patient is
     in. I saw the patient’s name on the unit I just
     left. What should I do?

  A: Refer the person to the nurses’ station,
     information desk, or hospital operator. You
     do not know whether the patient has
     requested a NO INFORMATION status or
     other restrictions.

     This scenario may present a cultural change, as most
     healthcare providers want to be helpful to visitors,
     understanding that family members may be worried about
     their loved one. However, we need to be mindful of the
     patient’s right to privacy.

                     Family Involvement
        A patient’s health information may be
         disclosed to family/others if:
              Patient gives verbal agreement,
              Patient has opportunity to object and does not, or
              You can infer from circumstances that patient
               does not object
        Emergency/incompetent patients - Release
         information using professional judgment in best
         interests of patient
     Examples of Permitted Disclosures to Family, Friends or Others:
     1. Daughter accompanies elderly patient into exam room. The
        patient says, “Can you explain it to my daughter?” You may
        provide instructions to the daughter.
     2. Wife goes to pharmacy and asks to pick up the prescription that
        Dr. Young called in for her husband. You may give the
        medications to the wife.
     3. Patient tells you that neighbor has been helping him with home
        exercise program. You may speak with the neighbor about the
        patient’s exercises.
     4. You knock on the door and enter patient’s room. There are
        several visitors in the room. You don’t know who the visitors are.
        You say to the patient, “I’d like to talk with you about discharge
        planning. Can we talk now? Perhaps your visitors would like to
        have lunch? Or should I come back a little later?”
     Exception: In an emergency, when the patient is unable to express
       his/her wishes, use your professional judgment. Ask yourself, “Would it
       be in the patient’s best interest if I disclosed the information?”
                     Family Involvement
        Information released must be directly
         relevant to that person’s involvement in the
         patient’s care or payment for that care
        A patient has the right to request that you not
         release information to family/others.
        If a patient asks that you not talk with
         family/others, please refer patient to nursing
     A Permitted Disclosure:
     Friend picks up patient after procedure. Patient will stay with
     friend for a few days. Friend asks, “What do I need to do?” You
     may explain to friend, “Here are her prescriptions. Be sure to
     keep the site dry. Sponge bath only. Call the doctor if the site
     gets red. No housework or lifting more than ten pounds.”
     Not A Permitted Disclosure:
     You may not describe the patient’s previous episodes of care to
     friend-- the Emergency Room visit when she was a possible DUI;
     results of the biopsy she had two years ago; etc.
     Responding to Patient’s Request:
     It’s important that you inform staff of patient’s request to limit
     involvement of family, friends or others. Staff will know how to
     document and follow-up on the request. Each facility has
     established procedures for responding to such a request. See
     Matrix for details.
                         What should I do?
  Scenario #2:
  Q: The spouse of a patient I am seeing
     approaches me in the hallway and begins
     asking me questions about the patient.
     During my assessment visit, the patient
     indicated that she did not want information
     shared with her spouse.
     What should I do?
  A: Patients have a right to not involve family
     members and others in their care. You
     should not share any information with the
     spouse per the patient’s request and you
     should alert the nursing staff about the
     patient’s request.
     The patient explicitly stated that she did not want her health
     information to be shared with her husband. As difficult as it may
     seem, you must honor her request.
     It is also important for you to promptly notify staff about patient’s
     request. They will know how to document and respond to
     patient’s request.
     Once a facility has agreed to a patient’s restriction request,
     everyone-- including students-- must abide by it.

                  Minimum Necessary
       Need-to-Know Rule
       Access is a privilege. Individuals with
        access privileges have an obligation to
        limit access and use to the minimum
        necessary to perform their duties and

      A key element of the Privacy Rule is the minimum necessary
      standard. This is the need-to-know rule. You are only
      permitted to access and use the minimum necessary amount
      of PHI for your specific duty, responsibility or purpose.
      In terms of educational uses of PHI, you must limit your
      access and use to the minimum amount of information
      required for your specific educational activity.
      For example, suppose you would like to review records of ER
      patients admitted for near drowning for a presentation or paper.
      First, you must obtain the required approvals and determine the
      types of information or data that you will need to collect. Then,
      you must limit your access to only the episodes of care that relate
      to the study topic and record only the data elements that are
      necessary to prepare your presentation or paper.

                   Request/Disclose PHI
                 for Treatment Purposes
      May request/disclose PHI for treatment where:
            Request is from a provider to whom you referred
             the patient for treatment or provider involvement in
             patient’s treatment is documented in medical
             record, or
            Patient has signed an authorization or release for the
             disclosure to the provider, or
            Provider has requested, in writing, the PHI for
             treatment purposes

     As a student, you may be asked to release PHI to another health
       care provider who is involved in the patient’s care. Under
       HIPAA, a health care provider may release PHI to another
       provider for treatment purposes without the patient’s
       authorization; however, this disclosure is subject to verification
       of the identity and authority of the requestor. At most facilities
       (see Matrix), you may disclose PHI to another health care
       provider for treatment purposes if:
         1. The provider referred the patient to you
         2. You referred the patient to the provider
         3. The medical record contains documentation of the
            provider’s treatment relationship with the patient
         4. The provider requests the information for treatment
            purposes and the request is made in writing
         5. The patient has signed an authorization or other form for
            the disclosure of the PHI to that provider

             Request/Disclosure of PHI
          to/from government agencies
       Refer to Nursing Staff/Attending
        Physician/Privacy Officer
              Only minimum necessary may be
              Must do an accounting for the disclosure

     Hospitals are required to disclose PHI to government agencies
     for many reasons. Examples include reports of child abuse or
     neglect, infectious disease reporting, reports of unattended
     deaths to the Medical Examiner, etc.
     Most students will not be involved in reporting PHI to
     government officials. However, you may encounter a situation
     in which reporting is mandatory, or a government official, such
     as a police officer, asks you for information. Please consult
     with the facility’s nursing staff, your supervisor or the facility’s
     Privacy Officer before making such a report or releasing
     information to any person who is not a health care provider.
     Such disclosures must follow the minimum necessary rule.
     Additionally, the facility must track or account for such
     disclosures. Therefore, it is important that you know and
     follow the appropriate procedures before you release any
     information to a government official.

       Patient Requested Restrictions
            on Use/Disclosure of PHI
        Facility may have agreed to patient requested
         restrictions on use/disclosures of PHI for
         treatment, payment or health care operations
        YOU must be aware of each facility’s
         practice in this regard and where such
         restrictions would be documented

     Under HIPAA, a patient has the right to request restrictions on
     the facility’s use or disclosure of PHI for treatment, payment or
     health care operations. The facility is not required to agree to
     the patient’s request.
     For example, a patient may not want students to be involved in
     his/her care or to access his/her health information. The facility
     will determine whether or not it will honor the patient’s request.
     Review the Matrix to familiarize yourself with each facility’s
     procedures with regard to such requests. Be aware that when a
     facility has agreed to a patient’s restriction request, as a student,
     you are obligated to honor the request.

                            Use of PHI for
                      educational purposes
        Allowed without patient consent or
        Parameters of use/disclosure of PHI for
         educational purposes:
               Appropriate access
               Minimum necessary for the purpose
               Protect/safeguard PHI
               Appropriate disposal upon completion

     Use or disclosure of PHI for educational purposes is considered
       one of the facility’s health care operations. Therefore, PHI can
       be used by and disclosed to health care students without the
       patient’s consent, agreement or authorization. However, HIPAA
       does place certain limitations on the use of PHI for educational
        1. The facility must establish appropriate controls on the
           student’s access to PHI
        2. PHI disclosed should be limited to the minimum necessary
           for the particular educational use or purpose
        3. The student who accesses PHI is responsible for protecting
           and safeguarding that information and to properly dispose
           of any notes or class documents that contain PHI upon
           completion of the use or purpose.
        4. The student must be aware of and honor any agreed-upon
     Facially de-identified information
        Policy permits use of PHI that is “facially de-
         identified” for educational purposes.
        Remove same identifiers as in de-identified
         information, except may leave in:
               Patient medical record number
               Dates of Service
               Zip codes
        This information is still identifiable under
         HIPAA and remains under federal privacy

     The collaborative facilities permit a student to use PHI that has
     been “facially de-identified” for his/her educational purposes.
     The only difference between de-identified information and
     “facially de-identified” information is that “facially de-identified”
     information can include the patient’s medical record number,
     dates of service and zip code. All other individual identifiers (see
     slide 5) must be removed from the information.
     Under HIPAA, “facially de-identified” information is still
     considered PHI. You must protect “facially de-identified”
     information in compliance with the Privacy Rule.

              “Facially de-identified”
                    means removing:
     Name
     Address
     Phone & fax number
     E-mail address
     SSN
     Health plan beneficiary numbers
     Account numbers
     Certificate/license numbers
     Web URLs
     Vehicle identifiers and serial numbers
     Device identifiers and serial numbers
     IP address numbers
     Biometric identifiers (including finger, voice prints)
     Full face photo and other images
     Any other unique

      This slide lists the identifiers which must be removed from
      the PHI in order for the information to be considered
      “facially de-identified”.

              Allowable educational
       Treatment
       Observation
       Teaching Rounds
       Retrospective Record/Data Reviews
       Research (with IRB approval)
       Case Presentations
       Patient Logs

      This slide lists the types of educational uses or activities for
      which a student may access PHI.
      Access to PHI or an attempt to access PHI by a student for a
      use or activity other than what is listed above would be
      considered a violation of the facility’s policies and could result
      in sanctions against the student.

                                       Is this okay?
  Scenario #3:
  Q: I heard about a very unusual case in the OR. As a
      medical student I am here to learn. I need to
      know more about the details so that I may gain a
      better understanding of the clinical course. I plan
      to review the records before I leave for the day.
      Is this okay?

  A: No. While it might be argued that educational
     benefit can be gained by reviewing unusual cases,
     such review should be formally approved and
     presented. Individual access to patients’ records
     in this type of situation is not appropriate.
     Electronic records and systems are monitored for
     inappropriate access.

     In this scenario, access may seem to fit under one of the
     allowable educational uses or activities. What do you think?
     The bottom line is that the case may indeed have educational
     value to you. But such review must be organized and approved
     by the appropriate individuals. Do not access patient information
     just because you personally believe it might be educational. Work
     through your instructors and the facility.

          Some Do’s and Don’ts:
      Treatment and Observation
  Can Do
     - Access medical records of the patients you are treating/caring for
     - Prepare class work with patient identifiers removed
     - Observe patient care with approval from department manager/
       supervising faculty
  Cannot Do
     - Obtain medical records of patients you are not treating/caring for
     - Use data obtained from your cases with patient identifiers such as
       name, address, birth date left in
     - Observe patient care without appropriate approval or where the
       patient objects

       Here are some do’s and don’ts relating to appropriate
       use/access of PHI for treatment and observation. This
       is not a complete list but will provide you with some
       general guidelines.
          Some Do’s and Don’ts:
              Teaching Rounds
  Can Do
     - Share patient information during teaching rounds
     - Prepare class work using data from your cases with patient
       identifiers removed
  Cannot Do
     - Discuss patients in public areas with no consideration to
       surroundings
     - Include family members in rounds, unless patient has agreed or
       determination has been made by physician that inclusion is in
       patient’s best interest

       Here are some do’s and don’ts for participation in teaching
       One important point must be emphasized. Always use
       discretion and common sense when discussing cases in
       public areas. Do not verbalize details that would
       inappropriately disclose patient information.
               Some Do’s and Don’ts:
                Retrospective Reviews
  Can Do
     - Access medical records with written approval of supervising faculty
       member
     - Prepare class work using collected data with patient identifiers
       removed
     - Use aggregate or de-identified patient information
  Cannot Do
     - Use information collected for research without IRB approval
     - Publish or publicly present findings without IRB approval or waiver
       of authorization
     - Contact the patient or the patient’s physician
     - Abstract patient

      Here are some do’s and don’ts for retrospective reviews.
      If you are thinking of publishing your findings or making a
      public presentation, you must obtain the approval of the
      facility’s Institutional Review Board (IRB) before accessing
      or collecting patient information from medical records. See
      the Matrix for information about each facility’s procedures.

              Some Do’s and Don’ts:
  Can Do
     - With IRB approval:
          - Build a database of patient information
          - Access and use patient identifiable information as approved
            by IRB
          - Do a public presentation or publish findings using aggregate
            or de-identified information
  Cannot Do
     - Any research without IRB approval or waiver
     - Publish or publicly present findings that identify the patient
       without patient authorization
     - Access and collect patient data in preparation for a research
       project without IRB waiver or approval

     There are a number of regulatory requirements for research,
      and the requirements are quite complex. As a student, the
      key points to remember are:
              1. Under the HIPAA Privacy Rule, the creation of a database or
                 repository of patient information may be considered research
              2. You should contact the facility’s Institutional Review Board
                 (IRB) if you intend to review and collect patient information for
                 research purposes. It is prudent to seek guidance from the
                 IRB if you consider publication or public presentation to be
                 future possibilities.

                     What should I do?
  Scenario #4:
  Q: My supervising faculty member has asked me to review
      100 charts of newborn babies to determine whether or
      not the delivery room temperature has an effect on
      babies. Do I need IRB approval?

  A: Maybe. If the intent is purely for quality improvement
     without intent to publish findings and you will destroy
     the database upon completion, then you do not need an
     IRB approval or waiver. But, if you intend to
     publicize, publish or use the data you collected for any
     other purpose and do not get a patient authorization or
     an IRB approval or waiver you would be violating the
     patient’s rights.

     It is sometimes difficult to distinguish between quality
     improvement activities and research. If the patient
     information you are collecting might be considered for use in
     a future research project, it is best to obtain IRB approval.
     See the facility’s IRB for information about its application,
     review and approval procedures.

                Some Do’s and Don’ts:
      Case Presentations/Grand Rounds
  Can Do
     - Access medical records with written approval of supervising faculty
       member
     - Prepare for presentation using facially de-identified, aggregate or
       de-identified information
     - Limit audience to healthcare students/professionals if presentation
       might inadvertently reveal patient’s identity
  Cannot Do
     - Leave/show the following in your presentation
          - Patient Name
          - Medical Record Number
     - Openly present a high profile or unusual case where patient’s
       privacy may be compromised without patient’s written authorization
       for disclosure

      Here are some do’s and don’ts for case presentations or
      grand rounds.
      Although you are permitted to retain the patient’s medical
      record number for certain educational purposes, this
      information should not be displayed or revealed during your
      presentation. If the case you plan to present is high-profile
      or extremely rare, obtain the patient’s authorization before
      you use his/her PHI in the presentation or, at minimum,
      ensure that the audience is limited to healthcare students or

                                Patient Logs

Information collected and submitted on
a patient log of your educational
activities must be facially de-identified

   Your educational program may require you to keep a
   Patient Log, a list of patients to whom you have been
   assigned, and to conduct follow-up reviews. As you
   keep your Patient Log, please follow the rules for “facially
   de-identifying” patient information.
                 Some Do’s and Don’ts:
       “Facially De-identifying” Patient Data

  Can Do
     - Use generic terms to describe a patient
          - 36 year old white male living in Arizona
          - Admitted in October 2002
          - Construction worker
     - Black out/delete/cut out patient identifiers on hard copy
  Cannot Do
     - Leave patient identifiers in
          - Patient/Relatives’ Name
          - Birth dates
          - Address
          - Employer
     - Take copies of dictated reports home with you (unless facially de-

            Here are some examples about how to “facially
            de-identify” patient information. Remember that
            you are only permitted to retain the patient’s
            medical record number, dates of service, and zip
            code for certain educational purposes.
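The rule above is mechanical enough to enforce in code. The following is an added example, not part of the training material or of any facility's system: it strips every identifier on the "facially de-identified means removing" list from a structured chart entry while keeping the three fields the collaborative policy allows (medical record number, dates of service, zip code), offers a full de-identification that drops those too, and provides a pre-submission check for a patient log. The field names and the sample record are constructed for the example.

```python
"""Facial de-identification of a structured patient record.

Added example, not part of the training slides. Field names are
assumptions about how a patient log might be stored; the identifier
list follows the slide "Facially de-identified means removing".
"""
from __future__ import annotations

from datetime import date

# Identifier fields that must be removed for both "de-identified" and
# "facially de-identified" information (the slide list, minus the three
# exceptions below). Key names are constructed for this example.
IDENTIFIER_FIELDS = frozenset({
    "name", "relative_names", "address", "phone", "fax", "email", "ssn",
    "health_plan_beneficiary_number", "account_number",
    "certificate_license_number", "web_url", "vehicle_identifier",
    "device_serial", "ip_address", "biometric", "full_face_photo",
    "birth_date", "employer",
})

# The three identifiers the collaborative policy lets a student keep in
# "facially de-identified" information. They are still PHI under HIPAA,
# so the output of facially_deidentify() must still be safeguarded.
FACIAL_EXCEPTIONS = frozenset({
    "medical_record_number", "dates_of_service", "zip_code",
})


def residual_identifiers(record: dict) -> list[str]:
    """Return identifier fields still present (non-empty) in a record.

    Use this as a pre-submission check on a patient log entry: an empty
    list means the entry is at least facially de-identified.
    """
    return sorted(k for k in IDENTIFIER_FIELDS
                  if record.get(k) not in (None, ""))


def facially_deidentify(record: dict) -> dict:
    """Drop every listed identifier except MRN, dates of service and zip."""
    return {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}


def deidentify(record: dict) -> dict:
    """Full de-identification: also drop the three facial exceptions."""
    return {k: v for k, v in facially_deidentify(record).items()
            if k not in FACIAL_EXCEPTIONS}


def log_entry(record: dict) -> str:
    """Render a patient-log line in the generic terms the slide suggests.

    Only facially de-identified fields are consulted, so an identifier
    cannot leak into the log line even if it was present in the record.
    """
    r = facially_deidentify(record)
    first_visit = date.fromisoformat(r["dates_of_service"][0])
    return (f"{r['age']} year old {r['sex']} living in {r['state']}, "
            f"admitted {first_visit.strftime('%B %Y')}, {r['occupation']} "
            f"({r['medical_record_number']})")


# Constructed sample chart entry; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Pat Q. Example",
    "birth_date": "1966-05-04",
    "address": "123 Example St, Phoenix",
    "zip_code": "85001",
    "phone": "602-555-0100",
    "email": "pat@example.invalid",
    "ssn": "000-00-0000",
    "employer": "Example Builders Inc.",
    "medical_record_number": "MRN-0000001",
    "dates_of_service": ["2002-10-14", "2002-10-16"],
    "age": 36,
    "sex": "male",
    "occupation": "construction worker",
    "state": "Arizona",
    "diagnosis": "fractured tibia",
}

if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_RECORD))
    print("after: ", residual_identifiers(facially_deidentify(SAMPLE_RECORD)))
    print(log_entry(SAMPLE_RECORD))
```

The check in `residual_identifiers` is deliberately an allow-list over known field names; free-text fields (dictated notes, comments) are not inspected here, which is why the slide's "black out/delete/cut out" rule for hard copy has to be applied by hand to narrative text.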
                 Some Do’s and Don’ts:
                   Accessing PHI
  Can Do
     - Request access to PHI through appropriate channels
          - Request access to medical records through Medical Records
          - Submit completed appropriate data request form for data
            reports
  Cannot Do
     - Remove medical records from facility
     - Leave patient records/data in break room or other areas where they
       are unattended
     - Out of curiosity, access the records of the celebrity who was
       admitted last week or the records of a patient with an unusual
       medical

     Each facility has established procedures for obtaining access to
     PHI. See the Matrix for more information.
     If you are assigned to a facility that has implemented an
     electronic medical record, you will probably be able to access
     information about patients with whom you do not have a
     treatment relationship. Keep in mind that simply because you
     are able to access the information does not mean you have
     permission to do so. Each facility has implemented audit trails
     to monitor users who have accessed a patient’s electronic
     medical records. If a facility discovered that you accessed a
     patient’s record and you had no legitimate reason for doing so,
     you could be subject to sanctions.
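The audit trails mentioned above work by comparing each access against a documented reason for it. The following is an added example of that review logic, not part of the training or of any facility's audit system: it reads a constructed access log, checks each chart access against the student's current patient assignments (treatment relationship) and a table of approved reviews (written faculty or IRB approval), and flags accesses with neither. The log format, user names, MRNs and both tables are constructed for the example.

```python
"""Audit-trail review: flag EMR accesses with no documented reason.

Added example, not part of the training slides or any facility's
system. Log format, field names and both lookup tables are constructed.
"""
from __future__ import annotations

import csv
from io import StringIO

# Constructed audit log (CSV): timestamp,user,patient_mrn,action
AUDIT_LOG = """\
timestamp,user,patient_mrn,action
2002-10-14T08:02:11,student17,MRN-0000001,view_chart
2002-10-14T08:40:53,student17,MRN-0000002,view_chart
2002-10-14T17:55:09,student17,MRN-0000099,view_chart
2002-10-14T18:01:44,student22,MRN-0000003,view_chart
2002-10-15T09:12:30,student22,MRN-0000099,view_labs
"""

# Constructed: patients each student is currently assigned to, i.e. the
# treatment relationship that justifies access.
ASSIGNMENTS = {
    "student17": {"MRN-0000001", "MRN-0000002"},
    "student22": {"MRN-0000003"},
}

# Constructed: reviews with written faculty approval or IRB approval,
# e.g. a chart pulled for an approved case presentation.
APPROVED_REVIEWS = {
    ("student22", "MRN-0000099"),
}


def access_reason(user: str, mrn: str, assignments=ASSIGNMENTS,
                  approved=APPROVED_REVIEWS) -> str | None:
    """Return the documented reason for an access, or None if there is none."""
    if mrn in assignments.get(user, set()):
        return "treatment relationship"
    if (user, mrn) in approved:
        return "approved review"
    return None


def flag_unjustified_access(log_text: str, assignments=ASSIGNMENTS,
                            approved=APPROVED_REVIEWS) -> list[dict]:
    """Return every log row whose access has no documented reason.

    Each flagged row is a candidate for privacy-office follow-up; the
    log itself is left untouched so it remains usable as evidence.
    """
    flagged = []
    for row in csv.DictReader(StringIO(log_text)):
        if access_reason(row["user"], row["patient_mrn"],
                         assignments, approved) is None:
            flagged.append(dict(row))
    return flagged


def users_to_review(flagged: list[dict]) -> list[str]:
    """Distinct users with at least one unjustified access, sorted."""
    return sorted({row["user"] for row in flagged})


if __name__ == "__main__":
    hits = flag_unjustified_access(AUDIT_LOG)
    for row in hits:
        print(f"{row['timestamp']} {row['user']} accessed "
              f"{row['patient_mrn']} ({row['action']}) with no documented reason")
    print("users to review:", users_to_review(hits))
```

In this constructed log only one row is flagged: student17 viewing a chart late in the day for a patient who is neither assigned to them nor the subject of an approved review, which is exactly the "unusual case in the OR" pattern from Scenario #3. student22's access to the same patient is not flagged because it is covered by an approved review.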
                                             Is it okay?
  Scenario #5:
  Q: My friend was admitted yesterday after
     collapsing during a bike ride. I am very
     concerned about her progress and would like
     to visit her but I don’t know which room she
     is in. Is it okay if I look up the information in
     the computer system?

  A: No. Using your access privileges to look up
     any information for any patient when there is
     no need to know based on your
     responsibilities in the hospital is a violation
     of patient confidentiality.

     Unless you are directly involved in providing health care for
     your friend, it is not appropriate for you to access her
     electronic medical record. Your friend is entitled to privacy, as
     are all patients.
     As discussed on the Facility Directory slides, please ask for
     your friend by name at the nurses’ station or information desk.
     As long as your friend has not requested “No Information”
     status, staff will be able to tell you her room number and you
     will be able to visit.
                   Some Do’s and Don’ts:
                Safeguarding Information
  Must Do
     - Password protect laptops/PDAs
     - Shred facially de-identified papers when you are done with them
     - Ensure memory/hard drive has been wiped clean when selling/disposing
       of a PC, laptop or PDA
     - Encrypt any PHI sent over
  Cannot Do
     - Leave information in open or other public areas
     - Discuss patients in elevator, hallways or the cafeteria
     - Dispose of facially de-identified information in your trash can (it
       is still identifiable under HIPAA!)
     - Share your access codes/cards

    Remember that under HIPAA, “facially de-identified” information is
      still Protected Health Information (PHI). You are responsible for
      keeping the information confidential and secure. Here are some
      examples of safeguards you should follow:
    1. Maintain control over your PDA, class work and other documents that
       contain patient information. Know where they are at all times.
    2. Do not let a friend borrow or share your access codes (log-in) or
       cards for any reason. You are responsible for inappropriate access to
       data or secured areas that occurs under your identification.
    3. When you no longer need health information you have collected,
       dispose of it appropriately. Do not throw it away in your trash can!
    4. Do not send PHI over an open network unless the information is
    5. Always use discretion and common sense. Consider how you would
       want others to protect your personal health information.

  For further information or questions,
  please contact the facility’s privacy
